CVE-2021-30246

9.1 CRITICAL

📋 TL;DR

The jsrsasign package for Node.js incorrectly validates some invalid RSA PKCS#1 v1.5 signatures as valid, potentially allowing attackers to bypass signature verification. This affects all applications using jsrsasign for cryptographic signature validation. While no practical attacks are currently known, the vulnerability could undermine authentication and integrity mechanisms.

💻 Affected Systems

Products:
  • jsrsasign
Versions: All versions through 10.1.13
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects RSA PKCS#1 v1.5 signature validation. Applications using other signature algorithms or cryptographic functions are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could forge digital signatures to bypass authentication, tamper with signed data, or impersonate legitimate entities in systems relying on RSA signature verification.

🟠 Likely Case

Limited impact due to the specific nature of the invalid signatures that trigger the bug and the lack of known practical exploitation methods.

🟢 If Mitigated

Minimal impact if proper signature validation controls and monitoring are in place, though the underlying cryptographic weakness remains until the library is patched.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No
Unauthenticated Exploit: ✅ No
Complexity: HIGH

No known practical exploitation methods exist. Exploitation would require generating specific invalid signatures that trigger the bug.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.14 and later

Vendor Advisory: https://github.com/kjur/jsrsasign/releases/tag/10.1.13

Restart Required: Yes

Instructions:

1. Update jsrsasign to version 10.1.14 or later using npm: npm update jsrsasign
2. Restart your Node.js application.
3. Verify the update was successful.

🔧 Temporary Workarounds

Temporarily disable RSA PKCS#1 v1.5 signature validation

Applies to: all

Where possible, disable jsrsasign's RSA PKCS#1 v1.5 signature validation or replace it with another verification method.

🧯 If You Can't Patch

  • Implement additional signature validation checks in application code
  • Monitor for unusual signature validation patterns in logs

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list jsrsasign | grep jsrsasign

Check Version:

npm list jsrsasign

Verify Fix Applied:

Verify installed version is 10.1.14 or later: npm list jsrsasign
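As an added check that is not part of this advisory, the following Node.js script applies the 10.1.14 threshold to the JSON printed by npm ls --all --json, comparing version components numerically (a string compare would rank 10.1.9 above 10.1.14) and reporting nested copies of jsrsasign that a top-level upgrade would leave behind. The dependency tree fed to it is constructed for the demonstration.

```javascript
// Added example, not part of the advisory: flag installed jsrsasign copies that
// fall in the affected range (all versions through 10.1.13).
const FIXED_VERSION = "10.1.14"; // first patched release named by the advisory

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the tree printed by `npm ls --all --json` and report every jsrsasign copy,
// including nested duplicates that `npm update jsrsasign` at the top level may miss.
function auditNpmLs(json) {
  const findings = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === "jsrsasign" && info.version) {
        findings.push({ path: path.join(" > "), version: info.version,
                        vulnerable: isVulnerableVersion(info.version) });
      }
      walk(info.dependencies, path); // recurse into transitive dependencies
    }
  };
  walk(JSON.parse(json).dependencies, []);
  return findings;
}

// Constructed sample: a patched direct dependency plus a vulnerable nested copy.
const SAMPLE_NPM_LS = JSON.stringify({
  name: "example-app", version: "1.0.0",
  dependencies: {
    jsrsasign: { version: "10.1.14" },
    "some-jwt-lib": { version: "2.0.0", dependencies: { jsrsasign: { version: "10.1.9" } } },
  },
});
for (const f of auditNpmLs(SAMPLE_NPM_LS)) {
  console.log(`${f.path}: ${f.version} -> ${f.vulnerable ? "VULNERABLE" : "ok"}`);
}
```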

📡 Detection & Monitoring

Log Indicators:

  • Failed signature validation attempts
  • Unexpected successful signature validations

Network Indicators:

  • Unusual authentication patterns in API calls using signatures

SIEM Query:

Search for application logs containing signature validation errors or unexpected successes
